Charles Lyons-Burt
According to Mark Hogenmiller, chief transformation officer at Aeyon, keeping up with acquisition policies and cybersecurity demands are the responsibility of everyone on a company’s team, not just its C-suite. It is only via thorough comprehension and collaborative initiatives that government contracting companies like Aeyon keep their data secure and are able to competitively vie for new awards.
Hogenmiller, a certified professional contractors manager — a.k.a. CPCM — and project management professional, or PMP, knows this from his time spent on both sides of the GovCon equation. He is a U.S. Navy veteran who worked for the service branch as a procurement analyst with the Deputy Assistant Secretary of the Navy, Acquisition Management, wherein he advised on acquisition, e-business policy and information technology portfolio management, among other areas. He then enjoyed stints at Integrity Management Consulting as chief operating officer and as a managing director at KPMG LLP, before coming to Aeyon in 2014.
In this Spotlight interview, Hogenmiller spoke with ExecutiveBiz about the ever-evolving cybersphere and its impacts on GovCon, tools and strategies to aid data organization and more.
Everyone in the GovCon sector has a direct involvement in cybersecurity and the cyber realm. Register today at the early bird rate for Potomac Officers Club’s 2024 Cyber Summit. Held on June 6, the event will feature the DOD’s cyber expert David McKeown among many others. Come prepared for a high-stakes, information-packed day of keynotes, panels and networking opportunities.
Can you talk about how cybersecurity has impacted or changed the national security paradigm? What new trends or shifts are you seeing at the intersection of cybersecurity and national security, and how are those trends influencing the public sector today?
Many of the discussions over the past year have centered around how generative artificial intelligence will impact how we will conduct business both in the commercial and federal sectors. These discussions start out with a conversation about technology, but quickly a dialogue on data management and information security breaks out. This happens for several reasons; one is that cybersecurity can be enhanced by using AI tools to detect threat actors, but also that threat actors are also using AI tools to defeat cybersecurity efforts.
The second is that in the rush to deploy new AI tools and techniques companies and clients are realizing that their fundamental underlying IT security posture is not at an acceptable level to defeat these new threats. This has spurred companies and the federal government to review their IT security policies, tools and techniques to respond to the increasing threat and be prepared to take advantage of AI to further national security efforts.
Do you think the United States’ cybersecurity efforts are keeping up with demand? If not, how can we accelerate and broaden cybersecurity?
U.S. cybersecurity efforts are keeping up with the demand, but companies need to understand these tools and technologies, and the underlying investment that is required in terms of meeting the demands of their business. The critical component in basic cybersecurity remains the “insider threat.” We consistently seek to discover when employees are intentionally circumventing security controls but have not understood the unintentional compromise of data that can occur. The recent ease of generative AI solutions has led to employees unintentionally providing these tools/applications with proprietary or sensitive data without a basic understanding of the underlying security model and its use of the data.
Cybersecurity threat actors have realized that corporations have fortified their company infrastructures and that the best way to gain access is by attacking personnel devices/credentials that can create an open door to company sensitive information. Continuous training of employees needs to go beyond annual training to remain vigilant on the continuing changes in the cybersecurity threat posture. This also includes both from a company perspective and their personal information.
What kind of tools and technologies can organizations use to make their data more accessible and understandable?
When the COVID-19 pandemic started in March 2020, it immediately led to a rise in the number of applications needed to make data and information more accessible, allowing corporations to maintain productivity in a remote environment. However, this has led to an increase in the number of “shadow applications” that business units were able to quickly deploy in a cloud-based distributive environment.
The increase in productivity has also led to the increased exposure to applications not understood or under control of the IT department. Recent headlines have been saturated with incidents of cloud-based applications that needed to be taken down due to vulnerabilities that have been exploited by cyber attackers. Chief information officers and chief technology officers need to have an overall understanding of the business needs and how a company’s IT architecture can fulfill these needs, while protecting personal, company and client data.
In addition, companies must also understand its data ecosystem so that data and information remains interoperable and understood amongst these applications. Companies rushing to deploy AI solutions have again realized that without a fundamental understanding of the data ecosystem, they will not be better enabled through sophisticated technology.
As a federal contractor, how do you ensure your team follows U.S. acquisition policies and processes while integrating your commercial capabilities and technologies — without sacrificing the quality of your work?
Federal contractors need to be aware that following U.S. acquisition policies and processes is not a corporate headquarters function, it is a function of all members of the company regardless of their role. When asked where these policies reside, I answer: “In our overall corporate training program.”
Our goal is to not overwhelm employees with separate and multiple mandatory training, but to make them aware of the context of these requirements and to know when to ask for more information. Many of these policies, when discussed, usually end up back in a basic information security discussion. What information do you have access to? What can you use that information for? Who can you share that information with? How do you protect that information? If employees are aware of when to ask questions, compliance can be met without affecting time and quality.
